Error possible XSRF attack in GWTP application


I have a GWTP application (app1) calling another GWTP application (app2). The first sets a SecurityCookie as the second one.

If app1 is in a new session, and this opens app2, everything works. If I close my browser and turn on app1 in a new session without wiping the browser cache, app1 calls app2 and prints the following error:

SEVERE: Cookie provided by RPC does not match request cookie, aborting action, possible XSRF attack. (Maybe you forgot to set the security cookie?)

slugmandrew On

Without more info it's hard to provide an exact solution, but this is a known issue in GWTP, because the RandomSecuritySessionFilter changes the cookie each time a new RPC request is issued.

See this GitHub issue here. It's rather long but worth the read if you want to understand the problem.

In my own app I dispatch about 5 async RPC calls at once and kept getting the same error as you in development mode, but much more rarely in production (due to the development server being so fast that calls return in a much more random fashion). So as a hack I turned off the cookie in development mode because it was making my life so difficult.
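
The failure described in the answer can be reproduced in a small model of a double-submit cookie check. This is an added example, not part of the original answer and not GWTP code: the class, the method names and the `rotate` flag are hypothetical, and the browser and server are reduced to one cookie value and one comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Constructed model of a double-submit cookie check; names are hypothetical.
public class SecurityCookieRace {
    static final SecureRandom RNG = new SecureRandom();

    // Browser cookie jar, reduced to the single security cookie.
    static String jar;

    static String newToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Server side: the token copied into the RPC payload must equal the
    // cookie header of the same request. Comparison is constant-time.
    static boolean handle(String payloadToken, String cookieHeader, boolean rotate) {
        boolean ok = payloadToken != null && cookieHeader != null
            && MessageDigest.isEqual(
                   payloadToken.getBytes(StandardCharsets.UTF_8),
                   cookieHeader.getBytes(StandardCharsets.UTF_8));
        // Issuing policy: a new cookie on every response (rotate), or only
        // when the browser has none yet (stable for the session).
        if (rotate || jar == null) jar = newToken();
        return ok;
    }

    // Two async calls are built back to back, then sent one after the other.
    static boolean[] twoInterleavedCalls(boolean rotate) {
        jar = newToken();        // cookie set when the host page loads
        String payloadA = jar;   // client copies the cookie into call A
        String payloadB = jar;   // client copies the cookie into call B
        boolean a = handle(payloadA, jar, rotate); // browser attaches current jar
        boolean b = handle(payloadB, jar, rotate); // jar may have changed by now
        return new boolean[] { a, b };
    }

    public static void main(String[] args) {
        boolean[] rotating = twoInterleavedCalls(true);
        boolean[] stable = twoInterleavedCalls(false);
        System.out.println("rotate per request: A=" + rotating[0] + " B=" + rotating[1]);
        System.out.println("stable per session: A=" + stable[0] + " B=" + stable[1]);
    }
}
```

With rotation, call B carries the token it copied before call A's response replaced the cookie, so the server sees a mismatch on a legitimate request; with a token that stays fixed for the session, both calls pass and the cross-site check is still enforced.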